Hello,
I'm trying to set up sTunnel to use client certificates in the following arrangement:
Client Java Server (HTTP) --> sTunnel (HTTPS w/client cert) --> Windows IIS SOAP service, requires client cert
The client certificate was generated from a MS CA cert generation tool, one we use for our internal certificates and our internal CA. The client cert was generated as a .pfx file and I used OpenSSL to convert it to a .pem file with the -nodes option.
Testing without the client certificates shows that if the IIS hosted SOAP service is set to not require a client certificate, the sTunnel configuration works and we're able to communicate between the HTTP only client and the HTTPS IIS hosted service.
However, once we add the certificate, the communication stops at the handshake. I'm wondering if I need to change the client .pem cert to have the private key (don't use the -nodes option when converting using OpenSSL).
Here are the contents of the .conf file:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = user_cert.pem
key = user_cert.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = c:\temp\stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

[http]
accept = 8090
connect = 10.12.32.164:443
TIMEOUTclose = 0

; vim:ft=dosini
Here is the output from the log file showing two attempts to hit the service with the client cert, one from a browser and one from a bit of client code:
2010.03.19 09:58:27 LOG5[5864:4032]: Reading configuration from file stunnel.conf
2010.03.19 09:58:27 LOG7[5864:4032]: RAND_status claims sufficient entropy for the PRNG
2010.03.19 09:58:27 LOG7[5864:4032]: PRNG seeded successfully
2010.03.19 09:58:27 LOG7[5864:4032]: Certificate: user_cert.pem
2010.03.19 09:58:27 LOG7[5864:4032]: Certificate loaded
2010.03.19 09:58:27 LOG7[5864:4032]: Key file: user_cert.pem
2010.03.19 09:58:27 LOG7[5864:4032]: Private key loaded
2010.03.19 09:58:27 LOG7[5864:4032]: SSL context initialized for service http
2010.03.19 09:58:27 LOG5[5864:4032]: Configuration successful
2010.03.19 09:58:27 LOG5[5864:4032]: No limit detected for the number of clients
2010.03.19 09:58:27 LOG7[5864:4032]: FD=176 in non-blocking mode
2010.03.19 09:58:27 LOG7[5864:4032]: Option SO_REUSEADDR set on accept socket
2010.03.19 09:58:27 LOG7[5864:4032]: Service http bound to 0.0.0.0:8090
2010.03.19 09:58:27 LOG7[5864:4032]: Service http opened FD=176
2010.03.19 09:58:27 LOG5[5864:4032]: stunnel 4.31 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.03.19 09:58:27 LOG5[5864:4032]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.03.19 09:59:42 LOG7[5864:3864]: Service http accepted FD=440 from 127.0.0.1:49886
2010.03.19 09:59:42 LOG7[5864:3864]: Creating a new thread
2010.03.19 09:59:42 LOG7[5864:3864]: New thread created
2010.03.19 09:59:42 LOG7[5864:4328]: Service http started
2010.03.19 09:59:42 LOG7[5864:4328]: FD=440 in non-blocking mode
2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on local socket
2010.03.19 09:59:42 LOG5[5864:4328]: Service http accepted connection from 127.0.0.1:49886
2010.03.19 09:59:42 LOG7[5864:4328]: FD=460 in non-blocking mode
2010.03.19 09:59:42 LOG6[5864:4328]: connect_blocking: connecting 10.12.32.164:443
2010.03.19 09:59:42 LOG7[5864:4328]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds
2010.03.19 09:59:42 LOG5[5864:4328]: connect_blocking: connected 10.12.32.164:443
2010.03.19 09:59:42 LOG5[5864:4328]: Service http connected remote server from 10.12.47.109:49887
2010.03.19 09:59:42 LOG7[5864:4328]: Remote FD=460 initialized
2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on remote socket
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): before/connect initialization
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server certificate A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server done A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client key exchange A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write finished A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 flush data
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read finished A
2010.03.19 09:59:42 LOG7[5864:4328]: 1 items in the session cache
2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects (SSL_connect())
2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects that finished
2010.03.19 09:59:42 LOG7[5864:4328]: 0 client renegotiations requested
2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects (SSL_accept())
2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects that finished
2010.03.19 09:59:42 LOG7[5864:4328]: 0 server renegotiations requested
2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache hits
2010.03.19 09:59:42 LOG7[5864:4328]: 0 external session cache hits
2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache misses
2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache timeouts
2010.03.19 09:59:42 LOG6[5864:4328]: SSL connected: new session negotiated
2010.03.19 09:59:42 LOG6[5864:4328]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2010.03.19 10:01:54 LOG3[5864:4328]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2010.03.19 10:01:54 LOG5[5864:4328]: Connection reset: 568 bytes sent to SSL, 0 bytes sent to socket
2010.03.19 10:01:54 LOG7[5864:4328]: Service http finished (0 left)
2010.03.19 10:03:28 LOG7[5864:3864]: Service http accepted FD=476 from 127.0.0.1:50155
2010.03.19 10:03:28 LOG7[5864:3864]: Creating a new thread
2010.03.19 10:03:28 LOG7[5864:3864]: New thread created
2010.03.19 10:03:28 LOG7[5864:1216]: Service http started
2010.03.19 10:03:28 LOG7[5864:1216]: FD=476 in non-blocking mode
2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on local socket
2010.03.19 10:03:28 LOG5[5864:1216]: Service http accepted connection from 127.0.0.1:50155
2010.03.19 10:03:28 LOG7[5864:1216]: FD=440 in non-blocking mode
2010.03.19 10:03:28 LOG6[5864:1216]: connect_blocking: connecting 10.12.32.164:443
2010.03.19 10:03:28 LOG7[5864:1216]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds
2010.03.19 10:03:28 LOG5[5864:1216]: connect_blocking: connected 10.12.32.164:443
2010.03.19 10:03:28 LOG5[5864:1216]: Service http connected remote server from 10.12.47.109:50156
2010.03.19 10:03:28 LOG7[5864:1216]: Remote FD=440 initialized
2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on remote socket
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): before/connect initialization
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write client hello A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read server hello A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read finished A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write finished A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 flush data
2010.03.19 10:03:28 LOG7[5864:1216]: 1 items in the session cache
2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects (SSL_connect())
2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects that finished
2010.03.19 10:03:28 LOG7[5864:1216]: 0 client renegotiations requested
2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects (SSL_accept())
2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects that finished
2010.03.19 10:03:29 LOG7[5864:1216]: 0 server renegotiations requested
2010.03.19 10:03:29 LOG7[5864:1216]: 1 session cache hits
2010.03.19 10:03:29 LOG7[5864:1216]: 0 external session cache hits
2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache misses
2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache timeouts
2010.03.19 10:03:29 LOG6[5864:1216]: SSL connected: previous session reused
2010.03.19 10:04:28 LOG7[5864:1216]: Socket closed on read
2010.03.19 10:04:28 LOG7[5864:1216]: SSL write shutdown
2010.03.19 10:04:28 LOG7[5864:1216]: SSL alert (write): warning: close notify
2010.03.19 10:04:28 LOG6[5864:1216]: SSL_shutdown successfully sent close_notify
2010.03.19 10:04:28 LOG6[5864:1216]: s_poll_wait timeout: connection close
2010.03.19 10:04:28 LOG5[5864:1216]: Connection closed: 1541 bytes sent to SSL, 25 bytes sent to socket
2010.03.19 10:04:28 LOG7[5864:1216]: Service http finished (0 left)
Any hints would be appreciated!
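The following is an added example, not part of the original post, for checking the .pem file converted from the .pfx before pointing stunnel's cert= and key= at it. Note that openssl pkcs12 -nodes only leaves the exported private key unencrypted; the key is still written into the output file next to the certificate, and the "Private key loaded" line in the log above shows that stunnel did find it. The script verifies that the file carries a certificate and an unencrypted private key and that the two belong together, then demonstrates the PFX-to-PEM conversion on a throwaway self-signed certificate that stands in for the one issued by the internal MS CA. The file names, the demo passphrase and that self-signed certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a PEM file that was
# converted from a PFX with "openssl pkcs12 -nodes" before using it as both
# cert= and key= in stunnel.conf.  All file names are assumptions.

# pem_has_block FILE LABEL: succeed if FILE contains a "-----BEGIN LABEL-----" line.
pem_has_block() {
    grep -q -- "-----BEGIN $2-----" "$1"
}

# pem_check FILE: succeed only if FILE holds a certificate and an unencrypted
# private key that belong together.  The key/certificate match needs openssl;
# without it only the presence and type of the PEM blocks is checked.
pem_check() {
    f=$1
    if ! pem_has_block "$f" CERTIFICATE; then
        echo "$f: no certificate block"; return 1
    fi
    # An encrypted key shows up as a PKCS#8 ENCRYPTED block or a Proc-Type header.
    if pem_has_block "$f" "ENCRYPTED PRIVATE KEY" || grep -q "Proc-Type: 4,ENCRYPTED" "$f"; then
        echo "$f: private key is encrypted; convert with -nodes or give stunnel the passphrase"; return 1
    fi
    if ! pem_has_block "$f" "PRIVATE KEY" && ! pem_has_block "$f" "RSA PRIVATE KEY"; then
        echo "$f: no private key block, so stunnel's key= cannot load it"; return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        # The public key inside the certificate must equal the one derived from the private key.
        certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
        keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
        if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
            echo "$f: certificate and private key do not match"; return 1
        fi
    fi
    echo "$f: certificate and matching unencrypted private key present"
    return 0
}

# pfx_to_pem PFX PEM PASSPHRASE: the conversion the post describes.  -nodes
# ("no DES") leaves the key unencrypted; it does not drop the key from the output.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3" 2>/dev/null
}

# demo: build a throwaway self-signed client certificate (a constructed stand-in
# for the MS CA issued one), pack it into a PFX, convert it the way the post
# does and run the check.  Succeeds when the converted PEM passes and a
# certificate-only file is rejected.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
        -subj "/CN=stunnel-client-demo" -days 1 >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$d/user_cert.pfx" -passout pass:demo 2>/dev/null || { rm -rf "$d"; return 1; }
    pfx_to_pem "$d/user_cert.pfx" "$d/user_cert.pem" demo || { rm -rf "$d"; return 1; }
    pem_check "$d/user_cert.pem"
    rc=$?
    # Contrast: the certificate alone must be rejected.
    openssl x509 -in "$d/user_cert.pem" -out "$d/cert_only.pem" 2>/dev/null
    if pem_check "$d/cert_only.pem"; then rc=1; fi
    rm -rf "$d"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; run pem_check FILE on an existing PEM file"
fi
```

To take stunnel out of the picture, the same PEM file can be handed to openssl s_client -connect 10.12.32.164:443 -cert user_cert.pem -key user_cert.pem -state, which prints the same handshake states the stunnel log shows. An OpenSSL client only sends its certificate when the server asks for it, and in the log above the first handshake goes straight from "read server certificate" to "read server done" with no "read server certificate request" state in between, so that is the thing to watch for in the s_client output.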